View and manage aggregated alerts
- In the Aurora Multi-Tenant Console, on the menu bar, click Alerts.
  To select the columns that you want to display, scroll to the right and click the column selector icon.
- Do any of the following tasks:
  Filter and sort alert groups.
    - Click the filter icon on a column and type or select the filter criteria. You can do any of the following:
      - Apply multiple filter criteria at once. To remove a filter, click the x for that filter.
      - If you want to filter by Classification, Sub-classification, Description, or Key Indicators, do one of the following:
        - To find exact matches, click the filter icon > is equal to. Type a value to view matches. Click up to 5 matches to add them to the filtering list, then click Apply.
        - To find matches that contain the specified value, click the filter icon > contains. Type one or more values (click the add icon to add additional values). Click Apply.
        When you view the results, you can click the filter displayed at the top of the screen to add or remove filter criteria.
      - If you filter by Count, click the options icon for additional options (greater than, less than, and so on).
      - Filter by Product to scope results to specific Aurora Endpoint Security services.
      - Filter by Detection Time to scope results to a specific date and time range.
      - Filter by Tenant to scope results to a specific tenant.
    - To sort the alert groups in ascending or descending order by a column, click the name of the column (where applicable).
  View details for key indicators of an alert group and filter alert groups by key indicator type or value.
    - Hover over a key indicator icon to see the type of object or event. Click an icon to view details.
    - Where applicable, to view the full text of a truncated string value, hover over it and click the expand icon.
    - Where applicable, to copy a value, hover over it and click the copy icon.
    - To filter alert groups by a key indicator, hover over it and click the filter icon.
  View details for an alert group and individual alerts.
    - Click an alert group.
    - To view the details for key indicators associated with the group, in the left pane, click Key Indicators. Expand the key indicators to review details and view relationships between instigating and target objects. This view shows a single set of key indicators associated with individual events (files, users, executables, processes, and so on).
      For example, you may see a "parent" process object or executable file that is the instigating process for a "child" process. Events or objects at the same level are considered "siblings" under the same parent.
      Where applicable, you can hover over values and click the expand icon to view full text strings or the copy icon to copy the value.
    - For the individual device alerts, do any of the following:
      - Sort and filter the alert information.
      - Add or change labels for the alerts.
      The alert status and assigned user can be managed through the individual tenant.
    - To open the details panel for an individual alert, click the alert. Do any of the following:
      - If applicable, click Detection Detail to view further details and actions from the tenant's console with support login. The Detection Detail link remains active for 60 days for Aurora Protect Desktop threat alerts and for 30 days for other types of alerts.
      - Expand the artifacts associated with the alert to review details and view relationships between instigating and target objects and events. The complete set of objects associated with a detection rule is included in the artifacts view.
      Where applicable, you can hover over values and click the expand icon to view full text strings or the copy icon to copy the value.
  Change the status of alert groups.
    Do any of the following:
    - To change the status of an alert group, in the Status drop-down list, click the appropriate status.
    - To change the status of multiple alert groups, select the alert groups, click Change Status, click the appropriate status, and click Apply.
  Add or change the label for alert groups.
    You can add custom labels to alert groups to provide short notes or reminders, or to use as filter criteria. To view labels, you must set the Labels column to display.
    - Select one or more alert groups.
    - Click Change Labels.
    - Type a label and press ENTER, or search for and select an existing label.
    - Click Apply.
    To remove a label, click the label, click the x icon, and click Apply.
  Export alert data to a CSV file.
    Do any of the following:
    - To export details for all alert groups, click the export icon.
    - To export details for all of the alerts within a group, click an alert group, then click the export icon.
  Remove alert groups.
    - Select one or more alert groups.
    - Click Delete.
    - Click Delete again to confirm.
- Click